ryuk | 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

Analysis

max time kernel
153s
max time network
61s
platform
windows7_x64
resource
win7v20210408
submitted
10-07-2021 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Size

144KB
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

1073r.exeATICfQfcDlan.exeOqdxPrOLTlan.exe

pid process

1468 1073r.exe
520 ATICfQfcDlan.exe
928 OqdxPrOLTlan.exe

pid	process
1468	1073r.exe
520	ATICfQfcDlan.exe
928	OqdxPrOLTlan.exe

Loads dropped DLL 6 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

pid	process
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1552 icacls.exe
1632 icacls.exe

pid	process
1552	icacls.exe
1632	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

description	ioc	process
File opened (read-only)	\??\E:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Y:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\X:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\U:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\R:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\O:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\F:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Z:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\I:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\W:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\T:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Q:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\M:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\H:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\G:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\J:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\V:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\S:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\P:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\N:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\L:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\K:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Drops file in Program Files directory 64 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DismountUnlock.dib	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\HideTest.mp2v	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\ClearAssert.jpg	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

pid	process
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1276 wrote to memory of 1468	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1276 wrote to memory of 1468	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1276 wrote to memory of 1468	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1276 wrote to memory of 1468	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1276 wrote to memory of 520	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	ATICfQfcDlan.exe
PID 1276 wrote to memory of 520	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	ATICfQfcDlan.exe
PID 1276 wrote to memory of 520	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	ATICfQfcDlan.exe
PID 1276 wrote to memory of 520	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	ATICfQfcDlan.exe
PID 1276 wrote to memory of 928	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	OqdxPrOLTlan.exe
PID 1276 wrote to memory of 928	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	OqdxPrOLTlan.exe
PID 1276 wrote to memory of 928	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	OqdxPrOLTlan.exe
PID 1276 wrote to memory of 928	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	OqdxPrOLTlan.exe
PID 1276 wrote to memory of 1632	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1632	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1632	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1632	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1552	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1552	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1552	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1552	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1276 wrote to memory of 1808	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1808	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1808	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1808	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 112	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 112	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 112	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 112	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1808 wrote to memory of 1572	1808	net.exe	net1.exe
PID 1808 wrote to memory of 1572	1808	net.exe	net1.exe
PID 1808 wrote to memory of 1572	1808	net.exe	net1.exe
PID 1808 wrote to memory of 1572	1808	net.exe	net1.exe
PID 1276 wrote to memory of 1884	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1884	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1884	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1884	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1032	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1032	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1032	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 1276 wrote to memory of 1032	1276	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	net.exe
PID 112 wrote to memory of 948	112	net.exe	net1.exe
PID 112 wrote to memory of 948	112	net.exe	net1.exe
PID 112 wrote to memory of 948	112	net.exe	net1.exe
PID 112 wrote to memory of 948	112	net.exe	net1.exe
PID 1884 wrote to memory of 1144	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1144	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1144	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1144	1884	net.exe	net1.exe
PID 1032 wrote to memory of 1832	1032	net.exe	net1.exe
PID 1032 wrote to memory of 1832	1032	net.exe	net1.exe
PID 1032 wrote to memory of 1832	1032	net.exe	net1.exe
PID 1032 wrote to memory of 1832	1032	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\1073r.exe
"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\ATICfQfcDlan.exe
"C:\Users\Admin\AppData\Local\Temp\ATICfQfcDlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:520

C:\Users\Admin\AppData\Local\Temp\OqdxPrOLTlan.exe
"C:\Users\Admin\AppData\Local\Temp\OqdxPrOLTlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:928

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1632

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

MD5
236e8aae74ede9a31ece29d8af45f87b

SHA1
c8db800f97cd5ace8ec0cef74564d8b5fdbdcf25

SHA256
11c0e5bdc0ed61d1a8b5b5bb84fb4938932be616363f3f7c565e807a889f598d

SHA512
c48023e74648171f3e874f1483fe3a9be0a055d2c09049929185785b94cd3d6aaf7f09348498777a44bb40e760bb83d0de68d2a03d54224042057d6d24b03b23

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.RYK

MD5
502791bee2d315090d243e2ff38e4c42

SHA1
07d2866e233284ff255657ebaaa9906dfcff3033

SHA256
7f3650fa8125dc96ac713b0f5007c7dc1a8af0da71aa5477221c9fb864086c0a

SHA512
b4186a71eef1e76e751144985dee8fd3bf0cc2688f9c1a1951d3706fc8b189b4290bbf30d36a892dd0741918bc39bf4aee85201481b245c71a46edda055cbadc

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.RYK

MD5
d421c150c991c6606865eef9b77f2fb9

SHA1
7f554bbd2cc5eb8e6d8760dba112138e3e42fa21

SHA256
64b750c871eb80fd695706651af0089da990e3b08c24944d405975da2e4b1e92

SHA512
355a6a7cd6c7204fbfd99c1c31766dc978010ab3bf41ec9dab8e36b21d4de9ab54304812c5a7a9060af4bb485245d3f60c5ddd94a5f85d47feafbcab4220b5c9

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
62f274d72edda67430e0eeffadb275db

SHA1
d6028a47c4dd26bf2f2b930fea1b36210d549758

SHA256
ebe02a9d5d6bc67f11bb6cec39113f5317f70ab5f1d20babca9e18717af2f2da

SHA512
21f94a906183dfcf17615d168eaa2fef10bb621ef4f03f029e0f9890059516994add221a2973b8d3fc550da44db583b195d2dded39ae305ec2a2a8fec03a3009

Download Submit
C:\MSOCache\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATICfQfcDlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATICfQfcDlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqdxPrOLTlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqdxPrOLTlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\ATICfQfcDlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\ATICfQfcDlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\OqdxPrOLTlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\OqdxPrOLTlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
memory/112-102-0x0000000000000000-mapping.dmp

Download
memory/520-67-0x0000000000000000-mapping.dmp

Download
memory/928-71-0x0000000000000000-mapping.dmp

Download
memory/948-106-0x0000000000000000-mapping.dmp

Download
memory/1032-105-0x0000000000000000-mapping.dmp

Download
memory/1144-107-0x0000000000000000-mapping.dmp

Download
memory/1276-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1468-63-0x0000000000000000-mapping.dmp

Download
memory/1552-74-0x0000000000000000-mapping.dmp

Download
memory/1572-103-0x0000000000000000-mapping.dmp

Download
memory/1632-73-0x0000000000000000-mapping.dmp

Download
memory/1808-101-0x0000000000000000-mapping.dmp

Download
memory/1832-108-0x0000000000000000-mapping.dmp

Download
memory/1884-104-0x0000000000000000-mapping.dmp

Download